Detection Method: Exif analysis

Exif analysis looks at embedded metadata in files to uncover suspicious details that could indicate malicious activity. By extracting and analyzing Exif data from images, documents, PDFs, and other attachments, this method can help spot hidden threats that would normally go undetected.
Exif analysis can detect:
  • Document timestamps that don’t match the claimed origin
  • Authorship info that conflicts with the sender’s identity
  • Signs of image or document manipulation
  • Suspicious tools used to create the file
  • Geographical data that’s inconsistent with the expected origin
For example, a phishing email claiming to be an invoice might have metadata showing it was created with unauthorized tools, edited recently, or authored by someone outside the company it’s pretending to be from.
Attack Types (6):
Credential Phishing
Extortion
BEC/Fraud
Malware/Ransomware
Callback Phishing
Spam
Tactics & Techniques (13):
Evasion
PDF
Social engineering
Macros
Impersonation: VIP
Encryption
Impersonation: Brand
Free email provider
Out of band pivot
Exploit
LNK
Scripting
Image as content
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Attachment: Legal themed message or PDF with suspicious indicators
7d ago
Feb 5th, 2026
Sublime Security
Credential Phishing
Extortion
BEC/Fraud
Evasion
PDF
Social engineering
Content analysis
File analysis
Natural Language Understanding
Optical Character Recognition
URL analysis
Whois
Header analysis
Exif analysis
/feeds/core/detection-rules/attachment-legal-themed-message-or-pdf-with-suspicious-indicators-19133301
Attachment: Excel file with document sharing lure created by Go Excelize
14d ago
Jan 29th, 2026
Sublime Security
Credential Phishing
Macros
Social engineering
File analysis
Macro analysis
Content analysis
Exif analysis
/feeds/core/detection-rules/attachment-excel-file-with-document-sharing-lure-created-by-go-excelize-dfaf267f
Attachment: Fake lawyer & sports agent identities
17d ago
Jan 26th, 2026
Sublime Security
BEC/Fraud
Impersonation: VIP
Social engineering
Content analysis
Exif analysis
File analysis
Optical Character Recognition
/feeds/core/detection-rules/attachment-fake-lawyer-and-sports-agent-identities-7d3a2478
Attachment: Password-protected PDF with fake document indicators
22d ago
Jan 21st, 2026
Sublime Security
Malware/Ransomware
Credential Phishing
Encryption
Evasion
PDF
File analysis
YARA
Exif analysis
/feeds/core/detection-rules/attachment-password-protected-pdf-with-fake-document-indicators-b45e4440
Attachment: Invoice and W-9 PDFs with suspicious creators
22d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
PDF
Social engineering
Impersonation: Brand
File analysis
Optical Character Recognition
Exif analysis
Content analysis
/feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32
Callback phishing: AOL senders with suspicious HTML template or PDF attachment
1mo ago
Jan 12th, 2026
Sublime Security
Callback Phishing
Free email provider
Social engineering
Content analysis
Header analysis
File analysis
HTML analysis
Exif analysis
Sender analysis
/feeds/core/detection-rules/callback-phishing-aol-senders-with-suspicious-html-template-or-pdf-attachment-f6044eed
Callback phishing: Social Security Administration fraud
1mo ago
Jan 12th, 2026
Sublime Security
Callback Phishing
Evasion
Free email provider
Out of band pivot
PDF
Social engineering
Exif analysis
File analysis
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/callback-phishing-social-security-administration-fraud-a9049d52
Attachment: Excel file with suspicious template identifier
1mo ago
Jan 12th, 2026
Sublime Security
Credential Phishing
Evasion
Macros
Exif analysis
File analysis
/feeds/core/detection-rules/attachment-excel-file-with-suspicious-template-identifier-40f84b4b
Attachment: LNK with embedded content
1mo ago
Jan 12th, 2026
@ajpc500
Malware/Ransomware
Exploit
LNK
Scripting
Content analysis
Exif analysis
File analysis
/feeds/core/detection-rules/attachment-lnk-with-embedded-content-41452f7a
Attachment: Office document with VSTO add-in
1mo ago
Jan 12th, 2026
@vector_sec
Malware/Ransomware
Scripting
Archive analysis
Content analysis
Exif analysis
File analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/attachment-office-document-with-vsto-add-in-27afa730
Attachment: PDF file with link to fake Bitcoin exchange
1mo ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Free email provider
Impersonation: Brand
PDF
Social engineering
Exif analysis
File analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/attachment-pdf-file-with-link-to-fake-bitcoin-exchange-47601cb7
Attachment: PowerPoint with suspicious hyperlink
1mo ago
Jan 12th, 2026
Sublime Security
Malware/Ransomware
Evasion
Scripting
Exif analysis
File analysis
/feeds/core/detection-rules/attachment-powerpoint-with-suspicious-hyperlink-0a999fb1
Attachment: PDF with suspicious HeadlessChrome metadata
1mo ago
Jan 8th, 2026
Sublime Security
Credential Phishing
Malware/Ransomware
Evasion
PDF
File analysis
Exif analysis
/feeds/core/detection-rules/attachment-pdf-with-suspicious-headlesschrome-metadata-eda99b1d
Attachment: PDF generated with wkhtmltopdf tool and default title
1mo ago
Dec 19th, 2025
Sublime Security
BEC/Fraud
Callback Phishing
Credential Phishing
Malware/Ransomware
PDF
Evasion
File analysis
Exif analysis
/feeds/core/detection-rules/attachment-pdf-generated-with-wkhtmltopdf-tool-and-default-title-64e6c8a8
Attachment: Encrypted PDF with credential theft body
2mo ago
Dec 1st, 2025
Sublime Security
Credential Phishing
Encryption
Evasion
PDF
Social engineering
Content analysis
Exif analysis
File analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/attachment-encrypted-pdf-with-credential-theft-body-c9596c9a
Attachment: Suspicious PDF created with headless browser
4mo ago
Sep 17th, 2025
Sublime Security
Credential Phishing
Evasion
PDF
Content analysis
Exif analysis
File analysis
Optical Character Recognition
/feeds/core/detection-rules/attachment-suspicious-pdf-created-with-headless-browser-8f3108d7
Attachment: XLSX file with suspicious print titles metadata
4mo ago
Sep 16th, 2025
Sublime Security
Credential Phishing
Evasion
Macros
File analysis
Exif analysis
/feeds/core/detection-rules/attachment-xlsx-file-with-suspicious-print-titles-metadata-4c265cbe
Attachment: Fictitious invoice using LinkedIn's address
5mo ago
Sep 3rd, 2025
Sublime Security
BEC/Fraud
PDF
Social engineering
File analysis
Optical Character Recognition
Natural Language Understanding
Content analysis
Exif analysis
/feeds/core/detection-rules/attachment-fictitious-invoice-using-linkedins-address-aeee3d9f
Spam: Item giveaway spam template
6mo ago
Aug 5th, 2025
Sublime Security
Spam
Image as content
Content analysis
HTML analysis
Sender analysis
Exif analysis
/feeds/core/detection-rules/spam-item-giveaway-spam-template-06a5f93b
Attachment: Callback phishing solicitation via pdf file
6mo ago
Aug 5th, 2025
Sublime Security
Callback Phishing
Evasion
Free email provider
Out of band pivot
PDF
Social engineering
Exif analysis
File analysis
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-callback-phishing-solicitation-via-pdf-file-ac33f097
Page 1 of 2